Analyzing Side-Channel Leakage of RFID-Suitable Lightweight ECC Hardware

  • Erich Wenger
  • Thomas Korak
  • Mario Kirschbaum
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8262)


Using RFID tags for security-critical applications requires the integration of cryptographic primitives such as Elliptic Curve Cryptography (ECC). It is especially important to consider that, because of the fields in which they are deployed, RFID tags are easily accessible to an attacker who wants to perform practical side-channel attacks. In this paper, we investigate a practical attack scenario on a randomized ECC hardware implementation suitable for RFID tags. The implementation uses a Montgomery ladder, Randomized Projective Coordinates (RPC), and a digit-serial hardware multiplier. Using different analysis techniques, we are able to recover the secret scalar from only a single power trace. One attack correlates two consecutive Montgomery ladder rounds; another directly recovers intermediate operands processed within the digit-serial multiplier. All attacks are verified using a simulated ASIC model and an FPGA implementation.
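The first attack sketched in the abstract, correlating two consecutive Montgomery ladder rounds, can be illustrated with a small simulation. The block below is an added example written for this page; it is not code from the paper or its authors, and it models the idea rather than the paper's exact procedure. Everything in it is an assumption: a short Weierstrass curve over 2^255 - 19 with random a and b (chosen so that a random point lies on the curve), homogeneous projective formulas, a digit-serial multiplier that streams the X, Y and Z coordinates in 8-bit digits, a Hamming-weight-plus-Gaussian-noise leakage per digit, and an attacker who can locate in the trace where each round reads its doubling operand and writes its two results. The function names (`montgomery_ladder`, `recover_scalar`, `run_demo`) are mine.

```python
# Added example for this page (not code from the paper or its authors): a simulated
# single-trace attack on a Montgomery ladder that uses Randomized Projective
# Coordinates. Curve, leakage model, digit width and noise level are assumptions.
import math
import random

P = 2**255 - 19      # assumed field prime; any prime works for the ladder itself
DIGIT_BITS = 8       # assumed digit width of the digit-serial multiplier
NOISE_SIGMA = 1.0    # assumed Gaussian noise added to each leaked digit

def random_curve_and_point(rng):
    """Pick a, x, y at random and solve for b so that (x, y) is on y^2 = x^3 + a x + b."""
    a, x, y = (rng.randrange(P) for _ in range(3))
    return a, (y*y - x**3 - a*x) % P, (x, y)

def on_curve(pt, a, b):
    x, y = pt
    return (y*y - x**3 - a*x - b) % P == 0

def proj_double(pt, a):          # homogeneous (X:Y:Z) with x = X/Z, y = Y/Z
    X, Y, Z = pt
    w = (a*Z*Z + 3*X*X) % P
    s = Y*Z % P
    B = X*Y*s % P
    h = (w*w - 8*B) % P
    return (2*h*s % P, (w*(4*B - h) - 8*Y*Y*s*s) % P, 8*s**3 % P)

def proj_add(p1, p2):
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    u = (Y2*Z1 - Y1*Z2) % P
    v = (X2*Z1 - X1*Z2) % P
    v2, v3 = v*v % P, v**3 % P
    A = (u*u*Z1*Z2 - v3 - 2*v2*X1*Z2) % P
    return (v*A % P, (u*(v2*X1*Z2 - A) - v3*Y1*Z2) % P, v3*Z1*Z2 % P)

def to_affine(pt):
    X, Y, Z = pt
    zinv = pow(Z, P - 2, P)
    return (X*zinv % P, Y*zinv % P)

def digit_leakage(pt, rng):
    """Assumed model: the multiplier streams X, Y, Z digit by digit; each digit leaks its Hamming weight plus noise."""
    samples = []
    for coord in pt:
        for shift in range(0, P.bit_length(), DIGIT_BITS):
            digit = (coord >> shift) & ((1 << DIGIT_BITS) - 1)
            samples.append(bin(digit).count("1") + rng.gauss(0, NOISE_SIGMA))
    return samples

def montgomery_ladder(k, point, a, rng, trace=None):
    """k*P via a Montgomery ladder on RPC-randomised coordinates; leakage goes into `trace` if given."""
    x, y = point
    lam = rng.randrange(1, P)
    R0 = (x*lam % P, y*lam % P, lam)        # RPC: P is represented as (lam*x : lam*y : lam)
    R1 = proj_double(R0, a)                 # initialisation handles the known leading 1 of k
    if trace is not None:
        trace.append({"dbl": digit_leakage(R1, rng), "add": digit_leakage(R0, rng)})
    for bit in (int(c) for c in bin(k)[3:]):
        R = [R0, R1]
        summed = proj_add(R0, R1)           # R_{1-b} <- R0 + R1
        doubled = proj_double(R[bit], a)    # R_b     <- 2 R_b
        if trace is not None:
            trace.append({"read": digit_leakage(R[bit], rng),   # operand fetched for the doubling
                          "dbl": digit_leakage(doubled, rng),
                          "add": digit_leakage(summed, rng)})
        R[bit], R[1 - bit] = doubled, summed
        R0, R1 = R
    return to_affine(R0)

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx, vy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def recover_scalar(trace):
    """Round j doubles R_{b_j}. Round j-1 wrote its doubling result into R_{b_{j-1}} and its
    addition result into the other register, so a collision between the operand read in
    round j and the doubling output of round j-1 means b_j = b_{j-1}."""
    bits, prev_bit = [1], 1                 # the initialisation wrote 2P into R1
    for prev, cur in zip(trace, trace[1:]):
        same = pearson(cur["read"], prev["dbl"]) > pearson(cur["read"], prev["add"])
        prev_bit = prev_bit if same else 1 - prev_bit
        bits.append(prev_bit)
    return int("".join(map(str, bits)), 2)

def run_demo(seed=1):
    rng = random.Random(seed)
    a, b, point = random_curve_and_point(rng)
    k = rng.getrandbits(255) | (1 << 254)   # 255-bit scalar with a leading 1
    trace = []
    q = montgomery_ladder(k, point, a, rng, trace)
    q_fresh = montgomery_ladder(k, point, a, rng)   # new lambda: different trace, same affine result
    return {"scalar": k, "recovered": recover_scalar(trace),
            "on_curve": on_curve(q, a, b), "rpc_independent": q == q_fresh}

if __name__ == "__main__":
    r = run_demo()
    print("recovered every bit of the 255-bit scalar:", r["recovered"] == r["scalar"])
```

The point the simulation makes is why RPC alone does not stop a single-trace attack of this kind: the random lambda changes the representation of P once, but the ladder then carries that representation from round to round, so the doubling output of round j-1 is bit for bit the operand that round j fetches for its doubling whenever the two key bits agree, and the addition output is that operand whenever they differ. A Pearson correlation between the two trace segments separates the two cases without any hypothesis on the coordinate values, and because the leading bit of the scalar is known the whole scalar unrolls from these equal/unequal decisions. In this model, re-randomising the projective representation of both registers in every round removes the collision; the simulation says nothing about the second attack described in the abstract, which targets the multiplier operands directly.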


Keywords: Implementation attack, Correlation power analysis, Simple power analysis, Digit-serial multiplier, Elliptic curve cryptography



The research described in this paper has been supported, in parts, by the European Commission through the ICT Program under contract ICT-SEC-2009-5-258754 TAMPRES, and by the Austrian Research Promotion Agency (FFG) and the Styrian Business Promotion Agency (SFG) under grant number 836628 (SeCoS).



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

Institute for Applied Information Processing and Communications, Graz University of Technology, Graz, Austria
